
APT28 Nearest Neighbor Campaign

The APT28 Nearest Neighbor campaign showed that an adversary can reach a target network without touching its internet-facing perimeter: from a compromised organization in physical proximity, the actor joined the target's enterprise Wi-Fi with valid credentials and then used remote access paths to move into target systems. The mapped techniques therefore span wireless discovery, credential use, remote access, and stealthy movement into the target environment.

Framework: MITRE ATT&CK. Confidence: high

How The Activity Unfolds In ATT&CK

Nearest Neighbor is valuable because it expands the initial-access story beyond phishing and internet-facing exploits. The sequence starts with wireless access obtained from a nearby network, then uses valid credentials and remote access paths to reach the target.

  1. T1669 Wi-Fi Networks. The target's enterprise Wi-Fi, reached from a system in a nearby network, becomes the initial-access path instead of an internet-facing service.
  2. T1016.002 Wi-Fi Discovery. Discovery on compromised hosts identifies which wireless networks are in range and which saved configuration can be reused.
  3. T1078 Valid Accounts. Legitimate credentials authenticate to the wireless network and to internal systems, so the activity resembles ordinary user logons.
  4. T1021.001 Remote Desktop Protocol. RDP over the wireless foothold supports movement into target systems.

Defender Readout

This activity belongs in the top set because it forces defenders to treat wireless adjacency, third-party proximity, and remote access logs as one investigation: Wi-Fi authentication records, the neighbouring organizations whose networks can physically reach the SSID, and RDP logon events have to be correlated together rather than reviewed by separate teams.
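The chain above (Wi-Fi access, valid credentials, RDP) and the correlation the readout calls for can be expressed as a single detection. The following is an added example written for this page, not code from MITRE or from any published report on the campaign. It assumes a simplified log format in which a RADIUS/NPS access-accept for the enterprise SSID is rendered as `WIFI_ACCEPT` and a Windows 4624 logon with logon type 10 (RemoteInteractive) is rendered as `RDP_LOGON`; the Wi-Fi client range, the baseline set of accounts that normally use Wi-Fi, the one-hour window, and all log lines are constructed for illustration. The rule flags an account with no Wi-Fi history that is granted wireless access and, shortly afterwards, opens RDP sessions from an address in the Wi-Fi client range.

```python
"""Correlate Wi-Fi authentication events with RDP logons to surface the
Nearest Neighbor pattern: an account with no Wi-Fi history authenticates to
the enterprise SSID and, within a short window, opens RDP sessions from an
address in the Wi-Fi client range."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). The fields are a simplified
# rendering of a RADIUS/NPS access-accept record and a Windows 4624 logon
# record with logon type 10 (RemoteInteractive, i.e. RDP).
SAMPLE_LOG = """\
2022-02-04T08:05:10Z WIFI_ACCEPT user=asmith@corp.example client_ip=10.50.2.7 ssid=CORP-WIFI
2022-02-04T08:30:00Z RDP_LOGON user=asmith@corp.example src_ip=10.50.2.7 dst=WS-ASMITH logon_type=10
2022-02-04T09:12:01Z WIFI_ACCEPT user=jdoe@corp.example client_ip=10.50.1.23 ssid=CORP-WIFI
2022-02-04T09:20:45Z RDP_LOGON user=jdoe@corp.example src_ip=10.50.1.23 dst=FS01 logon_type=10
2022-02-04T09:25:30Z RDP_LOGON user=jdoe@corp.example src_ip=10.50.1.23 dst=DC01 logon_type=10
2022-02-04T10:00:00Z RDP_LOGON user=svc-backup@corp.example src_ip=10.10.0.5 dst=FS01 logon_type=10
2022-02-04T11:00:00Z WIFI_ACCEPT user=bwong@corp.example client_ip=10.50.3.9 ssid=CORP-WIFI
"""

# Assumptions for the example (hypothetical values): the Wi-Fi client range,
# the accounts seen on Wi-Fi during a baseline period, and the correlation window.
WIFI_CLIENT_RANGES = [ip_network("10.50.0.0/16")]
BASELINE_WIFI_USERS = {"asmith@corp.example"}
WINDOW = timedelta(hours=1)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Turn log lines into dicts with a parsed UTC timestamp and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields["kind"] = kind
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def in_wifi_range(ip):
    """True if the address falls inside any configured Wi-Fi client range."""
    addr = ip_address(ip)
    return any(addr in net for net in WIFI_CLIENT_RANGES)


def find_nearest_neighbor_pattern(events, baseline_users, window=WINDOW):
    """Return one finding per account that (1) has no Wi-Fi history,
    (2) is granted Wi-Fi access, and (3) within `window` performs an RDP logon
    (logon type 10) from an address in the Wi-Fi client range."""
    first_wifi = {}
    for e in events:
        if e["kind"] == "WIFI_ACCEPT" and e["user"] not in first_wifi:
            first_wifi[e["user"]] = e
    findings = []
    for user, wifi in first_wifi.items():
        if user in baseline_users:
            continue  # established Wi-Fi user; not the pattern of interest
        rdp_hits = [
            e for e in events
            if e["kind"] == "RDP_LOGON" and e["user"] == user
            and e.get("logon_type") == "10"
            and in_wifi_range(e["src_ip"])
            and wifi["ts"] <= e["ts"] <= wifi["ts"] + window
        ]
        if rdp_hits:
            findings.append({
                "user": user,
                "wifi_ts": wifi["ts"].isoformat(),
                "wifi_client_ip": wifi["client_ip"],
                "rdp_targets": sorted({e["dst"] for e in rdp_hits}),
                "rdp_sources": sorted({e["src_ip"] for e in rdp_hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_nearest_neighbor_pattern(parse_events(SAMPLE_LOG), BASELINE_WIFI_USERS):
        print(f"ALERT {f['user']}: Wi-Fi at {f['wifi_ts']} from {f['wifi_client_ip']}, "
              f"then RDP to {', '.join(f['rdp_targets'])}")
```

On the constructed sample only `jdoe@corp.example` is flagged: `asmith` is a known Wi-Fi user, `svc-backup` connects over RDP from outside the Wi-Fi range, and `bwong` joins Wi-Fi but never opens RDP. In a real deployment the baseline set would be derived from RADIUS history rather than hard-coded, and the RDP source should additionally be checked against the DHCP lease for the Wi-Fi client so that the wireless session and the RDP session are tied to the same device.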

Evidence And Mapping Rationale

T1669 Wi-Fi Networks

MITRE maps the campaign to this initial-access technique: the actor entered the target environment over its Wi-Fi network rather than through an internet-facing service.

T1016.002 Wi-Fi Discovery

MITRE maps the actor's discovery of wireless network names and configuration on compromised hosts to this sub-technique.

T1078 Valid Accounts

MITRE maps the campaign's use of legitimate credentials to this technique; once wireless access is obtained with a valid account, the resulting logons are indistinguishable from the credential owner's without further correlation.

T1021.001 Remote Desktop Protocol

MITRE maps the campaign's use of Remote Desktop Protocol for movement into target systems to this sub-technique.